2. Organization and responsibilities
Data protection is a shared responsibility of all our personnel. It is managed and primarily led by the management of the company, meaning the Board of Directors and the General Manager of I.S. Mäkinen. This responsibility applies regardless of whether any functions of the company have been outsourced.
In addition, every employee bears personal liability for data protection for their own part and is obliged to comply with any given instructions or orders related to data protection. Thus every employee shall:
report any deviations in data protection to the management
comply with and implement agreed measures and instructions
observe, maintain and develop data protection within their own area of responsibility
The contact person responsible for data protection matters at I.S. Mäkinen is Katja Viitala (phone: 040 535 2995, email: firstname.lastname@example.org).
3. Data protection
Data protection has significant relevance for the business of I.S. Mäkinen. Data protection means protecting personal data and other confidential or sensitive information related to a person. Data protection legislation requires that the processing of personal data be secured and that personal data be protected from any unnecessary processing.
The usage of data and data systems is monitored and any misuse shall be dealt with. The correctness of personal data shall be ensured. Personal data must be encrypted against outsiders; it shall not be destroyed or unnecessarily processed, and it shall be accessible when needed. Processing of false, outdated or incorrect data is prohibited and the rectification of such data shall be performed as required.
The data can be used only by individuals who need the data and only to the extent that such data is needed in order to perform their duties. The data can be disclosed only with the consent of the person whom the data concerns or when the legislation allows such data to be disclosed.
4. Data protection principles
4.1 Processing of personal data
I.S. Mäkinen has committed to processing personal data only to the extent that it is necessary to provide services for the clients, to fulfil contractual obligations, to deal with personnel matters and to fulfil other statutory obligations of I.S. Mäkinen. We process personal data only to the extent and as long as there are statutory grounds for processing personal data or processing is otherwise necessary for the purpose of use of data.
I.S. Mäkinen aims to ensure that false, incorrect or outdated personal data is not processed. We intend to ensure the validity of processed personal data and update the data appropriately. Protection of personal data and information security is intended to be ensured during processing and storage periods so that outsiders do not have access to personal data.
4.2 Storage of personal data
I.S. Mäkinen stores personal data in accordance with the legislation in force and only as long as necessary for the purpose of use of data.
We aim to make reasonable efforts to maintain the validity of the personal data in our possession by deleting unnecessary data and updating outdated data.
Payroll accounting information (pay sheets per employee or other documents containing similar information) shall be stored for a period of ten (10) years from the end of the financial year. Notes and receipts shall be stored for a period of six (6) years from the end of the financial year in which the payment was made.
Employees’ employment contracts and references shall be stored for a period of ten (10) years from the end of employment.
Material in paper form containing personal data shall be stored in locked premises. Such material shall also be destroyed once both the archiving obligation and the purpose of use have ended.
Further information on storage periods of different personal data is available in our following privacy statements: I.S. Mäkinen Oy’s employee register, I.S. Mäkinen Oy’s job applicant register and I.S. Mäkinen Oy’s subcontractors’ employee register. Information is also given by the contact person responsible for data protection matters.
4.3 Disclosure and transfer of personal data
I.S. Mäkinen may use service providers to whom the personal data stored and maintained by I.S. Mäkinen as a controller may be disclosed, as described in privacy statements and within the limits permitted by legislation. In addition, I.S. Mäkinen may use subcontractors and service providers who disclose their employees’ personal data to I.S. Mäkinen. I.S. Mäkinen may disclose such personal data further to cooperation parties, such as dockyards or ship owners, in accordance with privacy statements and only within the limits permitted by legislation.
Such third parties shall not use the data for any purposes other than those determined by I.S. Mäkinen. I.S. Mäkinen obliges those parties to keep the data confidential and to make sure that an appropriate level of data security is applied to protect personal data.
I.S. Mäkinen observes special diligence if personal data is transferred to any third parties outside the European Union or the European Economic Area. I.S. Mäkinen shall make sure that any transfer of personal data outside the EU or the EEA is executed appropriately and legally in accordance with the General Data Protection Regulation and other legislation concerning processing of personal data.
Personal data can be disclosed in accordance with demands presented by competent authorities and requirements based on legislation.
4.4 Informing data subjects
Data subjects are always appropriately informed about processing of personal data at the time personal data is originally collected. Based on statutory grounds, I.S. Mäkinen shall, as a rule, draft a statement for each person register we maintain. The statements shall be updated regularly and kept appropriately available in the premises of I.S. Mäkinen or by other means.
The criteria for the information provided to the data subject are the following:
the information shall be concise, transparent, easy to understand and easily accessible
clear and plain language shall be used
in principle, the information shall be provided in written form with a separate privacy statement. On a case-by-case basis, the information may be provided in electronic form. The information may be provided orally if the data subject requests.
information shall be provided free of charge
4.5 Control of the right to access data
Access to personal data, registers and information systems shall be restricted only to individuals who need the data in order to perform their duties. Employees have the right to process personal data only if there is a statutory ground. Personal data shall be processed only for the purpose of use and to the extent that is necessary.
4.6 Implementation of the rights of data subject
Legislation defines data subjects’ rights to personal data concerning themselves. First of all, the data subject has the right to receive transparent information on the processing of his/her personal data as well as the right to find out which data about the data subject has been stored in the controller’s register or that no such data is stored. If any personal data of the data subject is recorded in a register maintained by the controller, the data subject has the right to demand that such data be rectified, supplemented, transferred or erased as well as the right to restrict or prohibit processing of such personal data (unless the controller has statutory grounds for processing the data).
If the data subject wants to receive personal data concerning themselves or demands such data to be rectified, supplemented, transferred, deleted, or to restrict or prohibit processing of personal data, the data subject shall make such request by providing a personally signed or otherwise certified document.
I.S. Mäkinen shall respond to the data subject’s requests within one (1) month of receipt of the request, unless there are specific reasons to extend the response time. I.S. Mäkinen may ask the data subject to specify their request and to certify their identity before processing the request. I.S. Mäkinen can also refuse to act on the request based on grounds in applicable legislation.
The data subject has the right to lodge a complaint with the competent supervisory authority if I.S. Mäkinen has not complied with the data protection regulations applicable to its operations.
I.S. Mäkinen Oy (Business ID: 1860318-4), Tammitie 14, 21410 Vanhalinna.